a1e9d109e5
Build & push image / build-and-push (push) Successful in 5s
Per a Gadfly self-review finding (kimi-k2.7-code): an issue_comment can start a secret-bearing run before the in-container allowed-users check. Add a workflow if: that only lets trusted actors trigger via comment (PR/dispatch already trusted); keep GADFLY_ALLOWED_USERS as the belt-and-suspenders layer. README documents it + the default-branch caveat for comment triggers. (Docs/examples only — paths-ignored, no image rebuild.) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> EOF
57 lines
2.1 KiB
YAML
```yaml
# Gadfly using a LOCAL Ollama daemon (no API key needed).
# Copy to .gitea/workflows/adversarial-review.yml in your repo.
#
# The runner must be able to reach the Ollama host. For localhost on the runner,
# leave GADFLY_BASE_URL unset; for a LAN box set it to http://<host>:11434.
#
# Pick a model you've pulled into Ollama (e.g. `ollama pull qwen2.5-coder:7b`).

name: Adversarial Review (Gadfly)

on:
  pull_request:
    types: [opened, reopened, ready_for_review]
  issue_comment:
    types: [created]
  workflow_dispatch:
    inputs:
      pr_number: { description: "PR number to review", required: true }

permissions:
  contents: read
  issues: write
  pull-requests: write

concurrency:
  group: gadfly-${{ github.event.issue.number || github.event.pull_request.number || github.event.inputs.pr_number }}
  cancel-in-progress: true

jobs:
  review:
    # Security: only trusted users may trigger a secret-bearing run via a PR
    # comment (pull_request + workflow_dispatch are already trusted). Replace the
    # username(s) below with your maintainers — keep them in sync with
    # GADFLY_ALLOWED_USERS (the in-container belt-and-suspenders check).
    if: >-
      github.event_name != 'issue_comment'
      || github.actor == 'your-username'
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - uses: docker://gitea.stevedudenhoeffer.com/steve/gadfly:latest
        env:
          GITEA_API: ${{ github.server_url }}/api/v1/repos/${{ github.repository }}
          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
          # --- local Ollama ---
          GADFLY_PROVIDER: ollama
          GADFLY_MODELS: qwen2.5-coder:7b
          # GADFLY_BASE_URL: http://192.168.1.50:11434 # uncomment for a remote/LAN daemon
          # --- event context (leave as-is) ---
          EVENT_NAME: ${{ github.event_name }}
          PR: ${{ github.event.pull_request.number || github.event.issue.number || github.event.inputs.pr_number }}
          PR_BRANCH: ${{ github.head_ref }}
          IS_DRAFT: ${{ github.event.pull_request.draft }}
          COMMENT_BODY: ${{ github.event.comment.body }}
          COMMENT_ID: ${{ github.event.comment.id }}
          ACTOR: ${{ github.actor }}
```
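The weakness this commit closes can be checked mechanically across a repo's workflows: any job reachable from an `issue_comment` trigger that references `${{ secrets.* }}` must carry a job-level `if:` actor gate, because the in-container GADFLY_ALLOWED_USERS check only runs after the secret has already been injected. The audit below is an added example, not Gadfly's own code; it assumes the workflow has already been loaded into a dict by a YAML library (it tolerates PyYAML's YAML 1.1 quirk of loading the bare `on` key as `True`), and the `GATED` sample is a constructed mirror of the workflow above with `alice` standing in for a real maintainer.

```python
import copy
import re

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.")
ACTOR_GATE = re.compile(r"github\.actor\s*==")
EVENT_GATE = re.compile(r"github\.event_name\s*!=\s*'issue_comment'")

def _strings(node):
    """Yield every string nested anywhere under a loaded YAML node."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for value in (node.values() if isinstance(node, dict) else node):
            yield from _strings(value)

def audit_comment_trigger(workflow):
    """Return finding strings; empty means no secret-bearing job can be
    started by an issue_comment without an actor gate in its `if:`."""
    # PyYAML follows YAML 1.1, so a bare `on:` key loads as boolean True.
    triggers = workflow.get("on", workflow.get(True, {}))
    triggers = [triggers] if isinstance(triggers, str) else list(triggers)
    findings = []
    if "issue_comment" not in triggers:
        return findings
    for name, job in workflow.get("jobs", {}).items():
        uses_secrets = any(SECRET_REF.search(s) for s in _strings(job.get("steps", [])))
        cond = job.get("if") or ""
        # Heuristic: an actor allow-list, or excluding the event outright, counts as gated.
        gated = bool(ACTOR_GATE.search(cond) or EVENT_GATE.search(cond))
        if uses_secrets and not gated:
            findings.append(f"job '{name}': issue_comment can start a secret-bearing "
                            "run before any actor check")
        if "'your-username'" in cond:
            findings.append(f"job '{name}': `if:` still holds the placeholder 'your-username'")
    return findings

# Constructed sample mirroring the workflow above (not loaded from a file).
GATED = {
    "on": {"pull_request": {}, "issue_comment": {"types": ["created"]}, "workflow_dispatch": {}},
    "jobs": {"review": {
        "if": "github.event_name != 'issue_comment' || github.actor == 'alice'",
        "steps": [{"uses": "docker://gitea.stevedudenhoeffer.com/steve/gadfly:latest",
                   "env": {"GITEA_TOKEN": "${{ secrets.GITEA_TOKEN }}"}}],
    }},
}
WEAK = copy.deepcopy(GATED)
del WEAK["jobs"]["review"]["if"]  # the pre-commit state: no job-level gate
```

Run it over every file under `.gitea/workflows/` after `yaml.safe_load`; a non-empty list is a workflow where a comment on a PR reaches a secret before any allow-list is consulted.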